Not as big or uncommon as McAfee made it out to be, say Sophos, Symantec, Kaspersky

A host of antivirus companies and technology blogs have questioned McAfee’s claims that it had uncovered a massive cyber snoop which some analysts said emanated from China.

Last week, computer security company McAfee had said that it had detected a major cyber attack on the networks of governments, organisations and businesses.

The company did not name China, but had said that a “state actor” was behind the attacks which have been “raping and pillaging” companies and government agencies for over five years.

Analysts blamed China for the the cyber espionage dubbed ‘Operation Shady RAT’ by McAfee, though they said that it could be the work of Russia as well.

Victims of the snooping campaign include: governments of Canada, India, South Korea, Taiwan, the US and Vietnam; international bodies such as the UN, the Association of Southeast Asian Nations (ASEAN), the International Olympic Committee, the World Anti-Doping Agency; 12 US defence contractors, one UK defence contractor; and companies in construction, energy, steel, solar power, technology, satellite communications, accounting and media, said an AFP report.

McAfee vice-president of Threat Research Dmitri Alperovitch had said that the attacker was looking for information in military, diplomatic and economic domains.

He said that the loss represents a massive economic threat. “This is the biggest transfer of wealth in terms of intellectual property in history,” Alperovitch said. “The scale at which this is occurring is really, really frightening.”

The People’s Daily said last week, “Linking China to Internet hacking attacks is irresponsible.”

“The McAfee report claims that a ‘state actor’ engaged in hacking for a large-scale Internet espionage operation, but its analysis clearly does not stand up to scrutiny.”

“In fact, as hacking attacks against internationally renowned companies or international organisations have increased this year, some Western media have repeatedly described China as ‘the black hand behind the scenes’.”

First, Graham Cluley of rival security firm Sophos said the industry should wait before proclaiming this the biggest cyber-attack of all time. “What the report doesn’t make clear is what information was stolen from the targeted organisations, and how many computers at each business were affected,” he wrote on his blog.

“I can’t help but feel that we can’t call “Operation Shady RAT” (McAfee’s name, by the way) the biggest ever cyber-attack without having questions like those answered.”

He also queried suggestions that China was behind the attacks. “The report (quite rightly, in my opinion) refuses to name who it believes is responsible for the hack. Nevertheless, the media have leapt to the conclusion, with a nudge and a wink, that it simply must be China, despite the lack of any evidence in the report that it is China.”

“I don’t think we should be naive. I’m sure China does use the internet to spy on other countries. But I’m equally sure that just about every country around the world is using the internet to spy. Why wouldn’t they? It’s not very hard, and it’s certainly cost effective compared to other types of espionage,” he said.

Symantec said its findings confirm that the victims ranged from government agencies to private companies. However, it added that no country could be held responsible for the attack.

The company said, “There has been some discussion of this being a government-sponsored attack. However, the finger can’t be pointed at any particular government. Not only are the victims located in various places around the globe, so too are the servers involved in these attacks.”

The company also played down claims that Operation Shady RAT is a massive breach.

It said, “While this attack is indeed significant, it is one of many similar attacks taking place daily. Even as we speak, there are other malware groups targeting many other organisations in a similar manner in order to gain entry and pilfer secrets.

The company added, “is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case.”

Kaspersky Lab chief security expert Alex Gostev wrote to US news media, “McAfee makes two interesting assumptions: first — that a series of attacks has taken place; second — that valuable data has been stolen … However, the report contains nothing on what particular data has been stolen or how many computers in each organisation were hit by the attacks.

The names of the malicious programs listed in the document that are in some way related to the server in question are too general: particularly which trojans have been used cannot be established. And as far as we are aware McAfee has not provided samples of the trojans to other antivirus companies, as normally occurs in the industry in situations like these.”